[ovs-dev] [PATCH 1/2] ovn-northd: LR respond ARP from valid subnet only.

Han Zhou zhouhan at gmail.com
Tue Aug 21 23:24:27 UTC 2018


On Tue, Aug 21, 2018 at 3:38 PM Ben Pfaff <blp at ovn.org> wrote:
>
> On Tue, Aug 21, 2018 at 03:03:16PM -0700, Han Zhou wrote:
> > On Tue, Aug 21, 2018 at 11:36 AM Ben Pfaff <blp at ovn.org> wrote:
> > >
> > > On Sun, Aug 19, 2018 at 10:27:30PM -0700, Han Zhou wrote:
> > > > Currently ovn LR datapath responds ARP requests even if the ARP
> > > > requestor's src IP doesn't belong to the LR port's subnets. This
> > > > may generate unnecessary ARP responses and there could also be
> > > > security concerns. This patch restricts the ARP response only if
> > > > the requestor's IP matches the LR port's subnets.
> > > >
> > > > Signed-off-by: Han Zhou <hzhou8 at ebay.com>
> > >
> > > Thanks, this series seems fine and the tests pass, so I applied it to
> > > master.
> >
> > Thanks Ben. Shall we backport to at least 2.9 and 2.10? Without this,
> > GARP request won't work for mac-binding update.
>
> How much of a problem is it in practice?  The patch series was the first
> I'd heard of the problem.

The first patch in this series may not be critical, but the second one
regarding GARP is quite important IMHO, since GARP request is very commonly
used for announcing IP-MAC bindings.
In practice, there are 2 common cases that will have problems:

1) When IP-MAC bindings update in the external network behind OVN GW. The
IPs are usually default next hop GW of OVN logical routers, or next hop of
some static routes in OVN. There is a good chance that these bindings
change after device replacement/upgrade etc. These are not frequent
operations, but once it happens it has a big impact. Someone has to
debug this and finally delete the stale mac-binding entries manually from
SB DB, so that traffic can go through the new device.

2) When nested workloads are running behind OVN logical ports, such as
running containers inside VMs. If we don't use the child port feature, we'd
rely on mac-binding for the containers' IPs to be accessible. If the
implementation of the container orchestration system uses GARP request to
update the neighbors, then it won't work without the GARP patch. There is a
workaround in this case - change the container orchestration system
implementation to use ARP reply to update the neighbors, but it would be
better if OVN supports the general scenario.
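The two behaviours this thread is about, modelled in Python as an added illustration (editor's example, not OVN code from the series): a logical router port that answers ARP requests only when the requestor's source IP lies in one of its subnets, and a mac_binding table that is refreshed by ARP replies and by GARP requests (spa == tpa). The frame builder, `LRP_IP`, `LRP_SUBNETS` and the MAC addresses are constructed sample data, and the learning rule is a simplified model rather than the exact northd flow.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# Constructed sample configuration for one logical router port (LRP).
LRP_IP = ipaddress.IPv4Address("10.0.0.1")
LRP_SUBNETS = [ipaddress.IPv4Network("10.0.0.0/24")]

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame (constructed input for the model, not a capture)."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    hdr = dst + sha + b"\x08\x06"                       # Ethertype 0x0806 = ARP
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6/4-byte addrs
    body += sha + ipaddress.IPv4Address(spa).packed
    body += tha + ipaddress.IPv4Address(tpa).packed
    return hdr + body

def parse_arp(frame):
    """Decode the ARP fields the router cares about from a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"op": op, "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
            "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42])}

def lrp_answers(arp, lrp_ip, lrp_subnets, restrict_to_subnet=True):
    """Should the LRP reply to this ARP request?
    restrict_to_subnet=False models the behaviour before patch 1/2."""
    if arp["op"] != ARP_REQUEST or arp["tpa"] != lrp_ip:
        return False
    if not restrict_to_subnet:
        return True                     # old: any requestor gets an answer
    return any(arp["spa"] in net for net in lrp_subnets)

def learn_mac_binding(bindings, arp, lrp_subnets):
    """Simplified model of mac_binding refresh (assumption, not the northd flow):
    ARP replies and GARP requests (spa == tpa) from an attached subnet update
    the IP -> MAC entry. Returns True when an entry was written."""
    is_garp_request = arp["op"] == ARP_REQUEST and arp["spa"] == arp["tpa"]
    if not (arp["op"] == ARP_REPLY or is_garp_request):
        return False
    if not any(arp["spa"] in net for net in lrp_subnets):
        return False                    # ignore announcements from foreign subnets
    bindings[arp["spa"]] = arp["sha"]
    return True
```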


More information about the dev mailing list